Dex handling OIDC instead of directly using Apache

Hi All,

Wondering if anyone has setup Dex to authenticate to an OIDC IDP like Globus or CiLogon instead of local LDAP. I have setup OIDC directly in the OOD configs many times but I am wondering if anyone has done it via Dex before.

I suppose the main reason of wanting Dex in front doing the OIDC bits would be so one can utilize and customize the Dex splash page instead of when one does it via the OOD direct OIDC where the second you hit ood being unauthed, it just bounces you out to the IDP you are using.

Thanks,
Morgan

I have not, but apparently it can be configured to do it.

Though I have to say that OSC uses Keycloak for this. Keycloak is able to actually map and retain those mappings from the external provider. If you connected Dex to CiLogon you'd likely have to do all the mapping yourself.

For example I use CiLogon at OSC and authenticate as my OSU user (ohrstrom.4). Keycloak knows this and is connected to the OSC LDAP. So when I authenticate as ohrstrom.4 from OSU - Keycloak maps me to my OSC user and lets me in.

Hi Jeff,

Thanks, I was following that but was having issues and was wondering if A, the ood-portal.yml dex section would properly make the dex conf during generation when setting those bits and B, if anyone had done it before.

I also have a production OOD that has Keycloak in front of it (first one I ever set up actually) and it does the same as you guys have with LDAP. For other deployments that just use OIDC directly to OOD I just have a custom user_auth_mod.sh that does ldapsearches and handles mapping.

Thanks for the response!

Just be careful with this. This sh script always gets executed on every single request. This is why I recommend Keycloak, for performance really. You're invoking a shell script that's reaching out to LDAP on every single page (and all the assets that are loaded for that page, so that's JS files and images and so on), so it can get pretty hairy pretty quickly. Especially, say, if ldapsearch begins to slow down, that's going to bubble up to Apache in response times.

But to answer your question, it seems like you should be able to provide settings other than LDAP to do that Dex configuration. If you can't, that's a bug on our side because you should be able to.
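The performance caveat in the reply above is worth seeing in code. The following is an added example (not the user_auth_mod.sh from this thread and not anything Open OnDemand ships) of a mapping script written for the same kind of hook: it is assumed to be called with the IdP-asserted identity as its only argument, to print the local account name and exit 0 on success, and to print nothing and exit 1 to deny. It keeps one LDAP round-trip per identity per TTL in a small file cache instead of one per request, caches "no account" answers as well, and escapes the IdP-supplied value before it goes into the LDAP filter. The cache directory, LDAP URI, base DN and attribute name are placeholders.

```shell
#!/bin/sh
# Added example of a user_map_cmd-style mapping script with a short-lived cache.
# Not the script from the thread or anything OOD ships. Assumed contract: called
# with the IdP-asserted identity as $1, prints the local account name on stdout
# and exits 0, or prints nothing and exits 1 to deny access.
umask 077

CACHE_DIR="${OOD_MAP_CACHE_DIR:-/var/cache/ood-usermap}"     # assumed path
CACHE_TTL="${OOD_MAP_CACHE_TTL:-300}"                        # seconds a result is reused
LDAP_URI="${OOD_MAP_LDAP_URI:-ldaps://ldap.example.edu}"     # assumed directory
LDAP_BASE="${OOD_MAP_LDAP_BASE:-ou=People,dc=example,dc=edu}" # assumed base DN
LDAP_ATTR="${OOD_MAP_LDAP_ATTR:-eduPersonPrincipalName}"     # assumed attribute

# RFC 4515 filter escaping. The identity is asserted by the IdP and reaches this
# script unfiltered, so it must not be able to close or extend the search filter.
ldap_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# The one expensive call: a directory round-trip that returns the uid for the
# asserted identity (first match only). Kept as a function so it can be swapped out.
ldap_lookup() {
  ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
    "(${LDAP_ATTR}=$(ldap_escape "$1"))" uid 2>/dev/null |
    awk '$1 == "uid:" { print $2; exit }'
}

# Hash the identity so an arbitrary IdP string never becomes a path component.
cache_key() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -c1-64
  else
    printf '%s' "$1" | shasum -a 256 | cut -c1-64
  fi
}

map_user() {
  identity=$1
  file="$CACHE_DIR/$(cache_key "$identity")"
  now=$(date +%s)

  # Cache hit. A cached empty uid is a cached denial, so an unknown identity does
  # not hit the directory again for every asset on the page.
  if [ -r "$file" ]; then
    read -r stamp uid < "$file"
    case $stamp in ""|*[!0-9]*) stamp=0 ;; esac   # treat a damaged entry as expired
    if [ $((now - stamp)) -lt "$CACHE_TTL" ]; then
      [ -n "$uid" ] && printf '%s\n' "$uid" && return 0
      return 1
    fi
  fi

  uid=$(ldap_lookup "$identity")
  # Only a conventional POSIX account name is accepted; anything else is "unmapped".
  case $uid in
    ""|*[!a-z0-9_-]*) uid= ;;
  esac

  # Write the entry atomically so a concurrent request never reads a partial file.
  mkdir -p "$CACHE_DIR" &&
    printf '%s %s\n' "$now" "$uid" > "$file.$$" && mv "$file.$$" "$file"

  [ -n "$uid" ] && printf '%s\n' "$uid" && return 0
  return 1
}

# Act as a command when given an identity; sourcing the file only defines the functions.
if [ $# -ge 1 ]; then
  map_user "$1"
  exit $?
fi
```

Two choices matter here. Negative results are cached on purpose, because a misconfigured IdP or a scanner can otherwise turn every request into a directory query; the trade-off is that a newly provisioned account is not seen until the TTL expires, so keep CACHE_TTL short. And the escaping is not optional: without it, an identity such as `x)(uid=*` asserted by the upstream provider would rewrite the filter rather than be matched by it.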

Ah, that is very good to know, re performance. I am surprised I have not had an issue up to this point then. I will keep working on the dex oidc bits and update this so I can give an example in case anyone in the future comes looking.

Thanks Jeff!

I would suggest making note of that in the docs if it's not in there already. I imagine I am not the only one who has been using that shim to do some more complicated stuff.
